build(deps): bump actions/setup-node from 5.0.0 to 6.3.0 #126
Open
dependabot[bot] wants to merge 3 commits into main from
Conversation
* feat: trust visitor on login to prevent redundant MFA
  - Add trustVisitor helper to update user's visitor_id on login
  - Integrate trustVisitor in loginController and OAuth handler
  - Add trustUserDeviceOnAuth config option (default: true)
  - Update findUserByProvider to return user id and visitor_id
  - Fixes issue where expired canary cookies triggered New Device MFA

* feat: Add rate limiting to email MFA and password reset flows
  Add layered rate limiting to prevent email flooding attacks:
  - Global limit: 800 emails/day across all email flows (protects costs)
  - Per-user limit: 8 MFA emails/day per user
  - Per-IP limit: 5 MFA emails/day per IP
  Changes:
  - Add new emailMfaFlow limiter bundle with configurable thresholds
  - Add emailMfaLimiters schema to configuration
  - Update sendTempMfaLink to accept ip/res params for rate limiting
  - Update all MFA callers to handle rate_limited return value
  - Share globalEmailLimiter between MFA and password reset flows
  - Improve consumeOrReject/guard types for RateLimiterUnion support
  - Expand validate-config.cjs to validate all config fields

* fixed ratelimiters configuration

* feat: add custom MFA flow with secure code verification
  Core (Controllers and Routes):
  - Added initCustomMfaFlow controller with IP restriction, layered rate limiting, and session anomaly detection
  - Added verifyCustomMfaController for code verification and token rotation
  - Created magicLinks.ts route file with custom MFA endpoints
  Middleware and Utilities:
  - Refactored verifyEmailMFA middleware with improved separation of concerns
  - Added verifyTempLink middleware for temporary link validation
  - Created secureRandomCode utility for cryptographically secure code generation
  - Added verifyMfaCode utility for timing-safe code verification
  - Added customMfaLinks utility for generating and managing MFA links
  - Added genericMfaFlowEmail utility for email template handling
  - Added CustomMfaSchema types for validation
  Infrastructure:
  - Added docker-compose.test.yml for containerized test environment
  - Created config.test.json for test configuration
  - Updated start.sh with improved startup logic
  - Updated decrypt.sh for secrets handling
  Testing:
  - Refactored test setup with proper database initialization
  - Updated vitest config for improved test isolation
  - Fixed all refreshTokens tests to use new setup patterns
  Docs:
  - Updated ARCHITECTURE.md with custom MFA flow documentation
  - Updated DEVELOPMENT.md with testing instructions

* feat: implement secure custom MFA flow for email updates and token rotation
  Backend (Models and API):
  Added verifyMfaCode utility with atomic transaction support for custom actions
  Implemented updateEmailController with strict validation and session revocation
  Added revokeAllRefreshTokens logic to refreshTokens.ts
  Updated verifyJwt to integrate strangeThings anomaly detection
  Added generic sendEmailNotification helper and new email templates
  Configured routes for custom/mfa and update/email
  Added TypeScript types for Emails and UpdateEmail payloads
  Emails & Notifications:
  Created new EJS templates for OTP and Notifications
  Added systemEmailMap configuration for new email types

* refactor: use unified email system for custom MFA links
  Backend (Models and API):
  Updated initCustomMfaFlow to extract and pass EmailMetaDataOTP (device, browser, location)
  Refactored customMfaLinks to use mfaEmail from systemEmailMap instead of legacy genericMfaFlowEmail
  Removed deprecated genericMfaFlowEmail.ts
  Simplified user lookup in customMfaLinks (removed unused name selection)

* feat: Introduce `SKIP_CONFIG_UNLINK` environment variable to conditionally prevent config file deletion and standardize package dependency versions.

* feat: provide a passive mode configuration for the bot detector when disabled and update its initialization logic, alongside adding a Zod dependency override.

* chore: Update zod dependency, adjust bot detector whitelist, and disable bot detector in test configuration.

* fix: resolve rate limiter key length issues and refine response handling
  Backend (Models and API):
  - Updated guard utility to hash rate limiter keys exceeding 255 characters (fixing MySQL VARCHAR limit)
  - Removed redundant success response from initCustomMfaFlow (handled by finally block)
  - Refactored zodSafeStringMaker to correctly chain schema checks and transforms

* refactor: remove redundant rate limiter and content-type check from verifyMFA, make magic link thresholds configurable
  Middleware (verifyEmailMFA):
  - Removed duplicate guard(uniLimiter) call that double-consumed rate limit budget
  - Removed redundant req.is(application/json) check already handled by contentType middleware upstream
  - Removed unused imports for guard, getLimiters, and consecutiveForSlowDown cache
  Middleware (verifyTempLink):
  - Replaced hardcoded allowedPerSuccessfulGet and allowedPerSuccessfulPost constants with per-flow configurable values from getConfiguration
  - Each verification handler now reads its own thresholds: adaptiveMfa, linkPasswordVerification, customMfaFlowsAndEmailChanges
  - Increased default allowedPerSuccessfulPost from 1 to 3 to allow code retry on typo
  Config Schema (configSchema):
  - Added thresholds object to magic_links config with three scoped sub-objects
  - Used Zod prefault to guarantee defaults cascade even when consumer provides no config

* refactor: replace `console.warn` with structured logger for content type validation warnings.

* feat: add breached password detection via HIBP k-Anonymity API
  Security:
  - Added isPwned utility using HaveIBeenPwned Passwords API with k-Anonymity range search
  - SHA-1 prefix/suffix split ensures passwords never leave the server
  - LRU cache with 15min TTL prevents redundant API calls
  - Padding header enabled to resist traffic analysis
  Backend (Controllers and Middleware):
  - Signup controller blocks registration with breached passwords
  - Password reset middleware rejects breached passwords before DB connection
  - Login controller returns advisory breached field in response for client-side warnings
  Testing:
  - Added integration tests against real HIBP API
  - Covers known-breached passwords, random passwords, SHA-1 correctness, caching, and padding

* refactor: introduce prefix-based caching to `isPwned` function to reduce external API calls.

* fix: stabilize MFA verification and logout flows
  Backend (Models and API):
  - Fixed ERR_HTTP_HEADERS_SENT in logout controller by clearing cookies before response
  - Enhanced verifyMfaCode to return detailed user metadata on success
  - Updated verifyTempLink middleware with robust validation logic
  - Refined configSchema and system email templates for better error handling
  Testing:
  - Validated logout flow completes without header errors
  - Confirmed MFA verification returns expected metadata structure
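The HIBP k-Anonymity check described in the "breached password detection" commit above, as an added illustration (not the project's own `isPwned` code): the password is SHA-1 hashed locally, only the first five hex characters are sent as the range prefix, the suffix is matched against the returned range, padded rows (count 0) are ignored, and a prefix-keyed LRU cache with a 15-minute TTL avoids repeat lookups. The helper names, the `PrefixCache` class and the sample range body are assumptions constructed for this example.

```typescript
import { createHash } from "node:crypto";

// Hypothetical helper: hash locally, keep the suffix private, send only the prefix.
export function splitHash(password: string): { prefix: string; suffix: string } {
  const sha1 = createHash("sha1").update(password, "utf8").digest("hex").toUpperCase();
  return { prefix: sha1.slice(0, 5), suffix: sha1.slice(5) };
}

// Parse a range response ("SUFFIX:COUNT" per line) and return the breach count for
// our suffix. Rows added by the Add-Padding header carry count 0 and must not count.
export function countInRange(suffix: string, body: string): number {
  for (const line of body.split(/\r?\n/)) {
    const [hashSuffix, count] = line.trim().split(":");
    if (hashSuffix === suffix) return Math.max(0, Number(count) || 0);
  }
  return 0;
}

// Prefix-keyed LRU cache with TTL: one cached range serves every password sharing the prefix.
export class PrefixCache {
  private entries = new Map<string, { body: string; expires: number }>();
  constructor(private ttlMs = 15 * 60 * 1000, private max = 1000) {}
  get(prefix: string, now = Date.now()): string | undefined {
    const e = this.entries.get(prefix);
    if (!e) return undefined;
    if (e.expires <= now) { this.entries.delete(prefix); return undefined; }
    this.entries.delete(prefix); this.entries.set(prefix, e); // refresh LRU position
    return e.body;
  }
  set(prefix: string, body: string, now = Date.now()): void {
    if (this.entries.size >= this.max) {
      const oldest = this.entries.keys().next().value; // Map iterates oldest-first
      if (oldest !== undefined) this.entries.delete(oldest);
    }
    this.entries.set(prefix, { body, expires: now + this.ttlMs });
  }
}

// fetchRange is injected so the logic runs offline; in production it would GET
// https://api.pwnedpasswords.com/range/<prefix> with the "Add-Padding: true" header.
export async function isPwned(password: string, cache: PrefixCache,
  fetchRange: (prefix: string) => Promise<string>): Promise<number> {
  const { prefix, suffix } = splitHash(password);
  let body = cache.get(prefix);
  if (body === undefined) { body = await fetchRange(prefix); cache.set(prefix, body); }
  return countInRange(suffix, body);
}

// Constructed sample response for prefix 5BAA6 (SHA-1 of "password"), including a padded row.
export const SAMPLE_RANGE = "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n" +
  "0000000000000000000000000000000000A:0\r\n" +
  "ABCDEF0123456789ABCDEF0123456789ABCDE:7";
```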
Bumps [actions/setup-node](https://github.com/actions/setup-node) from 5.0.0 to 6.3.0.
- [Release notes](https://github.com/actions/setup-node/releases)
- [Commits](actions/setup-node@a0853c2...53b8394)

---
updated-dependencies:
- dependency-name: actions/setup-node
  dependency-version: 6.3.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
A newer version of actions/setup-node exists, but since this PR has been edited by someone other than Dependabot I haven't updated it. You'll get a PR for the updated version as normal once this PR is merged.
Commits
- 53b8394 Bump minimatch from 3.1.2 to 3.1.5 (#1498)
- 54045ab Scope test lockfiles by package manager and update cache tests (#1495)
- c882bff Replace uuid with crypto.randomUUID() (#1378)
- 774c1d6 feat(node-version-file): support parsing devEngines field (#1283)
- efcb663 fix: remove hardcoded bearer (#1467)
- d02c89d Fix npm audit issues (#1491)
- 6044e13 Docs: bump actions/checkout from v5 to v6 (#1468)
- 8e49463 Fix README typo (#1226)
- 621ac41 README.md: bump to latest released checkout version v6 (#1446)
- 2951748 Bump @actions/cache to v5.0.1 (#1449)

You can trigger a rebase of this PR by commenting `@dependabot rebase`.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)